Given that RocketJoeStaking.sol#deposit() adds liquidity to the pool, and the amount of rewards is modifiable, there should be a slippage control put in check, such that the code itself won’t be vulnerable to front-run attacks(sandwich attacks). This is especially important in transactions that are very large in volume.
Handle
bobi
Vulnerability details
Impact
There is no slippage check on the
deposit()
function onRocketJoeStaking.sol
. This can lead to a potential front-run attack.Proof of Concept
This issue is similar to one that has been previously found via the audit of Paladin, namely Issue #05 of the Trader Joe report.
Given that
RocketJoeStaking.sol#deposit()
adds liquidity to the pool, and the amount of rewards is modifiable, there should be a slippage control put in check, such that the code itself won’t be vulnerable to front-run attacks(sandwich attacks). This is especially important in transactions that are very large in volume.Tools Used
Manual analysis
Recommended Mitigation Steps
One mitigation would be something to follow suite with Paladin’s recommendations on the previously audit code, namely, instead of:
You could have: